botlearn-graduate
v1.0.0Guide users through a 7-day learning journey graduation by analyzing progress, identifying agent archetype, celebrating achievements, and planning personaliz...
⭐ 1· 269·0 current·0 all-time
by邢怀康@calvinxhk
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (Day‑7 graduation, archetype discovery, 4C analysis) align with the SKILL.md, README and manifest. Declared dependencies (@botlearn/openclaw-doctor, @botlearn/google-search) are plausible for scoring and resource discovery. No unrelated binaries, env vars, or external install steps are requested.
Instruction Scope
Runtime instructions explicitly direct the agent to collect Day‑1 baseline and Day‑7 current state by reading session logs, memory snapshots, workspace documents (e.g., SOUL.md, USER.md, AGENTS.md), skill usage, and configuration. That data access is appropriate for a retrospective, but it is sensitive (accesses user memory, logs, files). The skill does not instruct transmission to unknown external endpoints, but it does rely on internal APIs (memory/snapshots, clawhub) and may call the declared dependencies which could perform network queries.
Install Mechanism
Instruction-only skill with no install spec and no code execution payloads. No downloads/extraction or third‑party installers present. This is low risk from an installation perspective.
Credentials
Skill declares no required environment variables or primary credential. However, it depends on other @botlearn packages (openclaw-doctor, google-search) which themselves may require credentials or network access at runtime; the SKILL.md does not request secrets. The only proportionality consideration is that the skill legitimately needs access to internal agent memory, logs, files and the installed‑skills list—these are sensitive but relevant to the purpose.
Persistence & Privilege
always is false and the skill does not request permanent elevated presence. Scheduled behavior (notify at 7 days) is described but consistent with a graduation skill and does not indicate privileged escalation or modification of other skills' configs.
Assessment
This skill appears to do what it says: it will read your agent's Day‑1 snapshot (or reconstruct it), session logs, workspace documents (SOUL.md, USER.md, AGENTS.md), installed skills and usage to produce the Day‑7 report. Before installing, consider: 1) Are you comfortable with a skill reading your agent memory, session logs and workspace files? This is necessary for the retrospective but is sensitive data. 2) Check the provenance: the skill's homepage points to a GitHub repo in package.json, but the registry metadata lists source unknown—verify the author/repo if you require provenance. 3) Dependencies (@botlearn/openclaw-doctor, @botlearn/google-search) may perform additional network calls or require credentials—inspect those packages for any API key requirements before use. 4) The skill is instruction-only (no installer), so it won't drop binaries, but it may call internal APIs like /memory/snapshots and clawhub—ensure you trust those APIs and any downstream skills. 5) If you want to limit exposure, run the graduation in manual mode and review which snapshots or logs will be accessed; back up or redact any data you don't want included. Overall: coherent and expected behavior, but be aware and deliberate about allowing access to your agent's memories, logs, and files.Like a lobster shell, security has layers — review code before you run it.
latestvk97920as9hbsezz069ezja0vgd822axh
License
MIT-0
Free to use, modify, and redistribute. No attribution required.